Slashdot Mirror
Phish Scams Fooling 28% of Users
Etaipo writes "Anti-spam firm MailFrontier Inc has done some testing with consumers to see if they could differentiate between legitimate e-mails and phish scams. The results, to me, were pretty shocking.
The company also has provided a similar test on its web site. Get an answer wrong, and we revoke your geek license on the spot."
I answered 2 incorrectly as Fraud to get an 80% score so I lose 2 geek points but gain them back for erring on the side of caution. Actually I never bother with HTML mail and just skip it. That hasn't bit my butt yet.
IT's colour schemes are giving me a seizure...
Trolling is a art,
This test is like a Kobayashi Maru test on star trek. You have to alter the conditions to win. You can't see the details in the hyper links nore the refer information in the header.
Some of these fraud mails looked really legit and were mainly given away by the fact that their URLs went to something like fraudprevent-visa.com instead of fraudprevent.visa.com. fraudprevent-visa.com is a domain name that may or may not be affiliated with Visa, while fraudprevent.visa.com is a subdomain of Visa.com, meaning it's not 100% safe, but much more likely to be legit.
But asking people to know this difference is asking a bit much of them. What might be interesting would be a "Phisher Identifier" built into mail clients that could identify bogus or unauthorized URLs based on a very carefully maintained database of legitimate URLs.
Seems that a plug-in could be written for Outlook, Eudora, etc.
- Greg
Start a happiness pandemic
Let me be among the first to call "Bullshit" on this supposed test.
Any nerd worth his salt knows to first check the headers of the e-mail and Lookup the IP to see where the mail really came from, and/or view the source of the HTML and identify obfusicated URL redirects. Then again, any IT guy who is using HTML-enabled e-mail should have his geek license revoked in the first place.
When it's that easy, you can't even call it social engineering. It's just social nudging, and people are ready to fall for it.
The CB App. What's your 20?
Everytime I read a statistic like this I have to ask myself if it's even worth fighting against this kind of thing any more, or if we should consider it a tax on the stupid. Cynical, maybe, but I'm tired of explaining why you should never give out personal information via email to people and having them turn around and do exactly that a week later. I admit, some of the newer emails are getting quite professional looking, but as soon as they start asking for passwords/CC #s, red flags should go up. Sadly, many users gladly give the scammers what they're after with not a thought.
Vandemar.org
Do you have any data to back up this outrageous claim?
We've all received a number of these scams, and most of us on /. are surely not likely to fall victim.
But I can see why the confusion for some people:
1. They are intimidated the moment they sit at the computer.
2. The same people who might be skeptical as ever when dealing with a live human do not have a clue that the "internet" can be an evil place at times.
3. Some of these sights look exactly like the page they are emulating including all the other links on the page going to the real site. These people just do not know to look for "www.ebay.com" instead of 200.50.66.71 in the address bar. That is (sadly) still meaningless to a lot of people.
Education and experience on the web is likely to reduce these issues over time, but for now, it's just a way-too-easy niche opportunity for thieves and scammers to prey upon the naive.
I was once fooled believing that I received a fraudulant email making me believe it came from Sony. I wrote to Sony to report the email and they told me it was legite!
What caused me to think it was fraudulant? Well, the URLs in the email was going for something like sony.<somecompany>.com. The URL did not finish with "sony.com". The only way to figure out if an email is phoney or not is to check the URLs (assuming your browser does not have the famous URL bug which shows you a legite URL but once clicked, sends you to another site while still showing the legite URL in the URL bar), but when companies use 3rd parties to email their users and provide services, they cause these confusions.
Remember the year 2000? They promised us flying cars. They delivered the PT Cruiser...
disgusted. you are disgusted. i make this mistake all the time :/
agree about the leet speak.
i came very very close the other day to falling for a fake eBay "your account has been hacked, verify your account details" type scam. it was brilliant, no typos, perfect grammar, good layout, and most of all: i was tired when i got it. felt like a right plonker for even believing it for a second. now i have a lot more sympathy for people who fall for these things. thank god i did check the url.
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
The problem with the test is that they obscure the links. To me, the big test of a scam v. a real email is where the links point to rather than the content and the test uses javascript to obscure where they're going.
my sig's at the bottom of the page.
...that I would have clicked any of the links in the emails.
If I get any message that smells remotely like phish (i.e. any email that tells me to do something with my account), I go to my browser, and visit the site by manually entering the name of the website. If it then turns out to be a bogus email, I send a copy to the admins of the site, so they can track the insensitive clods down, and do whatever it is they do with them.
The IQ test would be a lot easier with access to full mail headers, too...
How's my programming? Call 1-800-DEV-NULL
Aw if he was God he would have removed those nasty moles on his face years ago!
copy and paste the URL rather than click it
Com'on puhlease !!!
Do you really really expect just about anyone to do do this ? It simply kills the whole purpose of the web ! It's like the typical MS security apporach to the IE activeX scripting problem : "disable everything".
Jeez... is that's your view on safety, i bet you never come out of the house. Come to think of it , when was the last time you had a breath ?
When will I end this grieving ? When will my future begin ?
Actually, they all go to #, which doesn't actually go anywhere. I call foul on this test -- it doesn't actually matter what the content of the email says (since I have no way to know that ebay would never suspend my account for not updating my info unless I actually go and look at the fraud stuff in their faq). A phishing message is easily (and only accurately) detected by looking at the address pointed to by the links within (which is what you will see banks, etc. telling you: "if you are unsure, just manually type our URL in, or call us"). How can this test be an accurate measure of people's ability to detect phishing emails if the links (the only worthy mark of a phishing email) they've given us don't actually link to real or fake sites?
Do you really need reason for beer? Wingman Brewers
Perhaps you could use a better sense of humor...
...I won't use an email client that renders HTML. Or at least, won't let me turn that off.
When I get these mails, 95% of the time I delete them unread; no legitimate business should ever need me to "confirm my information". Every so often I look at one, and since I only see the raw HTML, it's easy to see that the images and whatnot are all being pulled from the real company site, except for the "login" link which goes to some mysterious dotted quad address.
(Side note to companies: stop letting outsiders pull images off your server; only let your own pages refer to them. It's an Apache FAQ, fer cryin' out loud.)
Every so often a friend will send me HTML mail, but I can cope. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
I think this poll i rubbish, mostly because I got 50 %. But let me explain...
I dont live in the US. I haven't heard of most of the companies in the poll at all, and those I've heard of (paypal, msn etc) have never crossed my mind to use. If i would have received any of those mails, of course it would have been fraud.
What I'm trying to say is, if my bank, with secure connection and proper URL, send me an email telling me to do something, i'd probably look into it. If the bank is called "usbank.com", I wouldn't click on it.
Basically, how on EARTH am I going to be able to determine whether they are frauds or not, if I'm marked incorrect when stating "usbank.com" isnt fraud?
If you disregard any messages you dont recognize, and are cautious with the rest, you are fine.
Probable impossibilities are to be preferred to improbable possibilities.
Aristotele
No, the key is, a legit email should not ask you to click a link, but rather to "go to our website" (but not provide the link).
Let the user login as usual, and he/she will be safer.
That logic gave me a 10/10 result on the test.
I agree, it was made much harder with the actual URLs removed. I think the point of the test though was see how people faired based on the look (logos, etc) and obvious content. There are the things that your *average* user looks at to determine legitimacy (not reverse lookups, urls, etc).
I got caught marking a PayPal one as fraudulent (the one where some one had made a payment), which the article says happens 20% of the time. My misread was based on the long and ugly URL with a cgi call in the middle. In real life, if I had been expecting a payment, I would most certainly have been less skeptical.
So yeah, the test isn't perfect, but it's interesting to see (from all the previous posts) just how bad tech savvy users do when they are faced with the same knowledge base as a regular user.
The biggest tipoff is when it starts off with "Dear Paypal user" or something like that. Most companies go to the trouble of putting your actual name in there, so if whoever is sending you the email doesn't even know your name...well, you figure it out. This tactic even worked in the example quiz! It's a great first pass (the second pass is of course to mouseover any URLs (or check the source) and see exactly where they're sending you.
The only example that really made me think was the MSN account expiring message. At first I thought that had to be a fake because what's the point of sending you an email telling you that you need to log into your email to save your account? Then I realized it was actually an ad for a related pay MSN service and immediatly knew that it was real.
I read the internet for the articles.
I usually am suspicions but I check where the link takes me. This test wouldnt let me check this, so I assumed that the links pointed to where they said to (www.paypal.com/whatever/ points to www.paypal.com/whatever/)
I think that makes the test inaccurate. if I click a link, it should show me the real target (even if they do a fake replica (something like 201.123.123.34/www.usbank.com/account/blah/)
Bottles.
The test was completly meaningless as you couldn't do all the correct things you SHOULD to to check the authenticity of an email.
It encorages people to base decisions based on *hunches*, which is utterly retarded. You could take a genunine email and alter the URL and you'd never know you'd been duped if you went by the examples in this test - you'd just think it looked real, click on the URL, login and end up being scammed.
This 'test' is utterly worthless as a result. You *can't* tell just by looking at the surface content of an HTML rendered email. If you can't look at the email headers or the URLs you have no way of knowing all of them arn't spoofed.
I've recently been getting some spam that has my name and some address info in the subject line. It's obviously spam, and someone trying to rip me off. I've also been getting a lot more 419 spam, and that usually has my name (although they always refer to me by my last name *sigh*). But I just wanted to point out that we all probably have a lot of info about us out there ready to be used against us. As you say, it's a good "first pass" test, but nothing more than that.
If all you have are silver bullets, everything looks like a werewolf.
On the other hand, consider that in this test, subjects were actively thinking about whether or not these emails were fraud. They had advance warning that they might be exposed to fraud. That doesn't happen in the real world...the general assumption when you get an email from a service to which you subscribe is, "Oh, this service I use is trying to contact me about something important."
It's kind of like April Fool's Day. Play a prank on somebody on April Fool's Day, when they're expecting it, and they might not fall for it, because they're on the lookout. On any other day, the same prank might succeed easily, because the victim is caught off gaurd.
We don't have a state-run media we have a media-run state.
I nearly fell for myself, except that I didn't recall having an eBay account.
You're right, but most people don't know how to check the headers, much less look up the IP. But the two easiest checks against these type of messages weren't available in the test:
1) Does it make sense that I would get this? If I don't use US Bank, for instance, it's obvious it's fraud. But for the sake of the test, I think they assume you're involved with those companies, and that's okay.
2) More importantly, they don't let you check where the links are going to. If I rollover "www.paypal.com" and in the little bar in my browser it says "www.paypal.com," I know it's alright. But if it says "ccnums.steal-this-suckers-identity.com"...
c-hack.com |
If that's so, then why did we all score so high (I got a 90% -- I thought the "paypal shipping" one [#9] was a fraud)?
The reason is that there's one way you can tell: ALL the frauds had text saying "click this link" The two legitimate ones other than #9 told you to sign in, but didn't provide a link. (although they did provide other hyperlinks -- just not to the login page)
#9 fooled me because it had a link to click.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Just want to point out that two of the "legitimate" emails on the web survey could easily have been fraudulent. These are the "Don't lose your MSN Hotmail account!" email and the "Your credit card ending in 2008 will expire soon." email.
i ".
In fact, I've seen a version very similar to the credit card expiration link that warns about typing in the URL but then goes ahead and provides a clickable link anyway. When you look at the code, the link actually goes to a completely different URL than what is displayed, using the old trickery of "http://paypal.com@12356789/cgi-bin/trickedyou.cg
For those not familiar with the trick, "paypal.com" in the above url is the login name the web browser is instructed to provide to the web server while 12356789 is the decimal representation of the web server IP address.
Only the shipping notice fails to smell fraudulent. Even that could be rigged if you wanted to, by having the tracking link require you to "open a free UPS tracking account."
Of course, if they'd provided the entire emails instead of just the html representation, any techie could have sorted it out. But not the mere mortals.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I counted them all as fraud because of the Javascript mouseovers for links.
The _only_ way to tell the real thing from the fake is to look at the actual URL the link points to.
The morons who run the test changed them all to point to their own site; so every one of them is clearly fake.
Relying on any other content in the email is just stupid; the phishers will just improve their spelling and wording until it starts fooling enough people again.
This isn't new.
Member of Orkut? Annoyed with spam?